Exploring RADIUS

Brad Antoniewicz

www.foundstone.com

Copyright © 2014

McAfee, Inc. 2 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Hi, I’m @brad_anton

www.foundstone.com

Copyright © 2014

McAfee, Inc. 3 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Thank You, Canada!

www.foundstone.com

Copyright © 2014

McAfee, Inc. 4 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 5 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 6 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 7 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 8 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 9 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

www.foundstone.com

Copyright © 2014

McAfee, Inc. 10 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

RADIUS Remote Access Dial-In User Service

www.foundstone.com

Copyright © 2014

McAfee, Inc. 11 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Getting old people on the Internet DSL/Dial-Up Access

www.foundstone.com

Copyright © 2014

McAfee, Inc. 12 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Anonymity for l33tz VPN

www.foundstone.com

Copyright © 2014

McAfee, Inc. 13 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Network Access 802.1x (wired/wireless)

www.foundstone.com

Copyright © 2014

McAfee, Inc. 14 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

RADIUS

Fuzz

www.foundstone.com

Copyright © 2014

McAfee, Inc. 15 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

User Access Server RADIUS Server

Flow

www.foundstone.com

Copyright © 2014

McAfee, Inc. 16 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Supplicant Authenticator Authentication Server

Flow (IEEE 802.1x)

www.foundstone.com

Copyright © 2014

McAfee, Inc. 17 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

TRUSTED UNTRUSTED

www.foundstone.com

Copyright © 2014

McAfee, Inc. 18 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

TRUSTED UNTRUSTED

Targeting RADIUS Servers

from Untrusted Networks

www.foundstone.com

Copyright © 2014

McAfee, Inc. 19 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

User Access Server RADIUS Server

Flow

HTTP

PPP

VPN

Switch

Access Point

www.foundstone.com

Copyright © 2014

McAfee, Inc. 20 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

User Access Server RADIUS Server

Flow

RADIUS

PROTOCOL

www.foundstone.com

Copyright © 2014

McAfee, Inc. 21 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

User Access Server RADIUS Server

Flow User Database

Active Directory

SecurID

LDAP

www.foundstone.com

Copyright © 2014

McAfee, Inc. 22 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Surface

www.foundstone.com

Copyright © 2014

McAfee, Inc. 23 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

RA

DIU

S H

an

dle

r RA

DIU

S H

an

dle

r

Surface

www.foundstone.com

Copyright © 2014

McAfee, Inc. 24 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Surface C

lien

t Ha

nd

ler

www.foundstone.com

Copyright © 2014

McAfee, Inc. 25 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Surface

Mgmt Web UI Mgmt Web UI

www.foundstone.com

Copyright © 2014

McAfee, Inc. 26 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Surface

External Auth Handler

Mgmt Web UI

www.foundstone.com

Copyright © 2014

McAfee, Inc. 27 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Surface Mgmt Web UI

Mgmt Web UI Mgmt Web UI

StringMutator.Data.cs: namespace Peach.Core.Mutators { public partial class StringMutator { static readonly string[] values = new string[] {

LDAP Injection XSS SQL Injection CMD Injection etc… } }

www.foundstone.com

Copyright © 2014

McAfee, Inc. 28 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Protocol

www.foundstone.com

Copyright © 2014

McAfee, Inc. 29 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Authentication

Accounting

(Don’t care about)

RFC 2865

RFC 2866

www.foundstone.com

Copyright © 2014

McAfee, Inc. 30 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

UDP 1645

Shared Secret Used for various purposes

Lame

Source IP Filters Bypassed w/ encapsulation/spoofing

Key-Wrap

Only for keys later on

1812

www.foundstone.com

Copyright © 2014

McAfee, Inc. 31 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

code

Packetz

1: Access-Request 2: Access-Accept 3: Access-Reject 11: Access-Challenge

Radius.xml:RADIUS-Header

www.foundstone.com

Copyright © 2014

McAfee, Inc. 32 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

code Pkt Id Length

Packetz Radius.xml:RADIUS-Header

www.foundstone.com

Copyright © 2014

McAfee, Inc. 33 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

code Pkt Id Length

Authenticator

Packetz

./john –-format=dynamic_1008 radius.john

Radius.xml:RADIUS-Header

www.foundstone.com

Copyright © 2014

McAfee, Inc. 34 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

AVPs

Type Length Value..

Value can be:

String, Address, Time, Integer

Radius.xml:AVP-*

www.foundstone.com

Copyright © 2014

McAfee, Inc. 35 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Built In Authentication

PAP:–-format=dynamic_1009 CHAP: hashcat md5(chap)

RadiusPap Transformer

(RFC 2865)

www.foundstone.com

Copyright © 2014

McAfee, Inc. 36 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Encapsulation RFC 2869: RADIUS Extensions

www.foundstone.com

Copyright © 2014

McAfee, Inc. 37 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

EAP RFC 3748: Extensible Authentication Protocol

type Length Value.. EAP

RADIUS AVP Eap.xml

www.foundstone.com

Copyright © 2014

McAfee, Inc. 38 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

EAP Eap.xml

Code

1: Request 2: Response 3: Success 4: Failure

www.foundstone.com

Copyright © 2014

McAfee, Inc. 39 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

EAP Eap.xml

Code Id Length

www.foundstone.com

Copyright © 2014

McAfee, Inc. 40 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

EAP Eap.xml

Code Id Length

Type Data

1: Identity – Eap.xml 3: Nak – Eap.xml 4: EAP-MD5 – EapMd5.xml 17: EAP-TLS – EapTls.xml 25: PEAP – EapPeap.xml 26: EAP_MSCHAPv2 – EapMschapv2.xml ..And more!

www.foundstone.com

Copyright © 2014

McAfee, Inc. 41 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

EAP

RADIUS

www.foundstone.com

Copyright © 2014

McAfee, Inc. 42 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Message-Authenticator RFC 2869: RADIUS Extensions

HMAC-MD5

Would stop spoofing but..

www.foundstone.com

Copyright © 2014

McAfee, Inc. 43 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Tools and Attax

www.foundstone.com

Copyright © 2014

McAfee, Inc. 44 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Tools

Existing: libeap

pyradius

eapol_test* (w/ hostapd)

Releasing: Radius .Net (forked)

Eap .Net

..i know.. “ugh .Net”

www.foundstone.com

Copyright © 2014

McAfee, Inc. 45 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Sniffing

Offline Brute-Force Shared Secret/User-Password: john

CHAP: hashcat

EAP Data..: asleap, and eapmd5pass

Clear-text Data User-name AVP/Eap Ident

NAS-Id

Calling-Station

State

www.foundstone.com

Copyright © 2014

McAfee, Inc. 46 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Profiling

AVP-State (RADIUS)

Maintains State of the Connection

Active/Passive

Cisco: “acs/Number/Number”

MS NPS: 38 Bytes

EAP-Res/Ident Username

MS NPS: Will reject if ! valid

Others: Doesn’t matter

Msg-Auth. (RADIUS)

Cisco: Ignores

Others: Access-Reject

RadiusEapProfiler.exe

www.foundstone.com

Copyright © 2014

McAfee, Inc. 47 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Brute-Force

Password a.k.a Active Brute

Force (..meh)

Usernames NPS: Eap-Resp/Identity

EAP-Type Client Downgrade

eapEnum.exe

Or Enumeration …whatever

www.foundstone.com

Copyright © 2014

McAfee, Inc. 48 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

The Man in the Middle (impersonation)

hostapd-WPE

FreeRADIUS-WPE

www.foundstone.com

Copyright © 2014

McAfee, Inc. 49 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Fuzzing

DataModels

Fuzzers

Supporting Utils

PeachPits

Existing: radius-fuzzer

www.foundstone.com

Copyright © 2014

McAfee, Inc. 50 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

DataModels EAP

Eap.xml

EapFast.xml

EapGtc.xml

EapLeap.xml

EapMd5.xml

EapMschapv2.xml

EapPeap.xml

EapTls.xml

EapTlv.xml

RADIUS

Radius.xml

Supporting

Protocols

Tls.xml

Mschapv2.xml

Utilities

Utils.xml

802.1x

Ieee802.1x.xml

www.foundstone.com

Copyright © 2014

McAfee, Inc. 51 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

DataModel

Radius.xml

Cisco ACS

StateModel

Tests

VS DataModel

TekRADIUS

StateModel

Tests

VS DataModel

MS NPS/IAS

StateModel

Tests

VS DataModel

SBR/FreeRadius

StateModel

Tests

VS DataModel

Fuzzers

UDPPublisher

www.foundstone.com

Copyright © 2014

McAfee, Inc. 52 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Publishers

RadiusPublisher.cs

DataModel

Eap.xml

8021xPublisher.cs

DataModel

Ieee8021x.xml

www.foundstone.com

Copyright © 2014

McAfee, Inc. 53 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

TLS, OHNO!

UdpClient Y u no Stream?!

www.foundstone.com

Copyright © 2014

McAfee, Inc. 54 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

DataModel

Eap.xml

TcpPublisher

EapBridge

eapol_test

Target

www.foundstone.com

Copyright © 2014

McAfee, Inc. 55 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

802.1x Publisher

RADIUS Publisher Bridge

www.foundstone.com

Copyright © 2014

McAfee, Inc. 56 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Exploitation

&

www.foundstone.com

Copyright © 2014

McAfee, Inc. 57 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

Demo Arch

www.foundstone.com

Copyright © 2014

McAfee, Inc. 58 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

!!!!DEMO!!!!

www.foundstone.com

Copyright © 2014

McAfee, Inc. 59 Brad.Antoniewicz@foundstone.com @brad_anton @foundstone

? @brad_anton

Brad.Antoniewicz@foundstone.com

*many of the pics in this presentation were found on the

internet – credit goes to images.google.com